[DOCS] Add warning about Docker port exposure (#50169)

Docker bypasses the Uncomplicated Firewall (UFW) on Linux by editing the `iptables` config directly, which leads to the exposure of port 9200, even if you blocked it via UFW. This adds a warning along with work-arounds to the docs. Signed-off-by: Kovah <mail@kovah.de>
2025-02-23 13:26:02 +00:00 · 2019-12-18 15:03:45 +01:00 · 2019-12-18 15:03:45 +01:00 · cbffd127d5
commit cbffd127d5
parent 7c5a3bcf6d
1 changed files with 6 additions and 0 deletions
--- a/docs/reference/setup/install/docker.asciidoc
+++ b/docs/reference/setup/install/docker.asciidoc
@ -87,6 +87,12 @@ endif::[]
 This sample Docker Compose file brings up a three-node {es} cluster.
 Node `es01` listens on `localhost:9200` and `es02` and `es03` talk to `es01` over a Docker network.

+Please note that this configuration exposes port 9200 on all network interfaces, and given how 
+Docker manipulates `iptables` on Linux, this means that your {es} cluster is publically accessible, 
+potentially ignoring any firewall settings. If you don't want to expose port 9200 and instead use 
+a reverse proxy, replace `9200:9200` with `127.0.0.1:9200:9200` in the docker-compose.yml file.
+{es} will then only be accessible from the host machine itself.
+
 The  https://docs.docker.com/storage/volumes[Docker named volumes]
 `data01`, `data02`, and `data03` store the node data directories so the data persists across restarts.
 If they don't already exist, `docker-compose` creates them when you bring up the cluster.